Since August 2016, the National Security Agency has suffered a continual stream of devastating failures. Their internal hacking group, known as Tailored Access Operations (TAO), was breached 15 months ago by hackers calling themselves the “Shadow Brokers,” who have been dribbling out the contents of the NSA’s most prized hacking tools. The result has been a wave of internet crime — ransomware, lost files, and network attacks that disrupted businesses and cost hundreds of millions of dollars.
And as this New York Times story illustrates, the agency has been completely incapable of figuring out how the breach happened. Their computer networks could have been penetrated, or they could have someone on the inside leaking the tools. But after more than a year, they have not been able to plug the leak. It’s long past time the NSA was forced to stop hacking, and to start protecting the American people from the sort of tools they create.
At the time of the leak last year, I speculated that the NSA was exposing the American people to online attack, but I was not prepared for how bad it would be. Several huge ransomware attacks (in which a computer is infiltrated, its hard drive encrypted, and the decryption key held for a bitcoin ransom) using NSA hacking tools have swept the globe, hitting companies like FedEx, Merck, and Mondelez International, as well as hospitals and telecoms in 99 countries.
Even NSA partisans admit that this leak is creating much worse problems than the Snowden revelations (which were, after all, carefully vetted by journalists before being published). And despite a months-long internal investigation, the NSA still isn’t even sure what sort of leaks these are, let alone how the hackers are doing it.
In theory, one could imagine a security trade-off between setting up a hacking program to spy on other countries, and a program to find and patch security vulnerabilities in American software and computer networks.
In practice, it’s now beyond question that the benefits of developing these hacking tools pale in comparison to the danger they pose simply by existing. The NSA might be able to hire the best computer scientists in the world, but they are manifestly incapable of keeping the tools they produce secure. (The Shadow Brokers are apparently associated with the Russian government, which, for whatever reason, is seemingly a lot better at hacking than the American one.)
Software and computer systems are an integral part of American society, and private individuals and companies — not to mention government agencies and election administrators — need to be protected from every single tool the NSA has ever produced.
And after that, the TAO needs to be shut down for the foreseeable future. Instead, the NSA should research computer vulnerabilities, and when they find one, quietly inform the afflicted party so they can fix it before word gets out. Indeed, the agency could do no small service by twisting arms to simply get people to install security patches — especially large corporations, who as a rule drag their feet about keeping their software (generally ancient and highly vulnerable versions of Windows) up to date until there is a crisis.
I think the real reason why the NSA has a hacking program can be found in the following phrase from the Times article, about why people join the agency: “[N]owhere else can they hack without getting into legal trouble…” Breaking into foreign computer networks, creating security exploits, calling yourself an “operator,” and generally doing cool spy stuff like in the movies is exciting and stimulating. People create excuses that legitimize this practice, despite the endless cavalcade of failure.
By contrast, stuff like walloping Equifax over the head with a metaphorical cricket bat until they fix their appallingly insecure computer systems, or helping government departments implement ironclad end-to-end encryption to protect sensitive communications, is rather dull. But until some future date when the American state has become competent enough to keep a secret again, that’s what our secret computer professionals should be doing. American national security simply can’t afford any more NSA bungling.